September 23rd, 2006 08:54 EST
Potential Breaches of Personal Identity Data US Department of Commerce
The Department of Commerce today announced information from its recent Department-wide reviews of missing, lost or stolen laptops and potential breaches of personal identity data. The Department continues its review and is not aware of any data being improperly accessed or used. The information gathered from the reviews indicates that the Census Bureau had the disproportionate share of missing equipment and data. The reviews were in response to broad, government-wide Congressional and public inquiries.
Based on the review in response to the public inquiry, the Department determined that within its 15 operating units for the years 2001 to the present, out of over 30,000 laptops within the Department’s inventory over that time period, 1,137 were either lost, stolen or missing. Of these laptops, 249 contained personally identifiable information (PII), although access passwords, complex database software, systemic safeguards and/or encryption technology significantly limit the potential for misuse of data on the laptops.
A separate review in response to a request for information from the House Committee on Government Reform Chairman Tom Davis (R-VA) regarding the loss or compromise of any sensitive personal information from 2003 to the present found that there were 297 instances. These included: 217 laptops; 15 handheld devices; 46 thumbdrives; and the rest involved documents or other materials.
“We have an obligation to be good stewards of public property and government data. The amount of missing computers is high, but fortunately, the vulnerability for data misuse is low. While we know of no instances of personal information being improperly used, we regret each instance of lost material and believe the volume of lost equipment is unacceptable,” said Commerce Secretary Carlos M. Gutierrez. “All of the equipment that was lost or stolen contained protections to prevent a breach of personal information, and we are moving to institute better management, accountability, inventory controls, 100% encryption, and improved training.”
Information on the two agencies within the Department that have missing laptops with personal data follows:
Bureau of the Census
Most of the missing laptops were assigned to the Census Bureau, which during the last five years has used over 20,000 laptops. Every year, thousands of Census field representatives fan out around the country to compile survey data, using laptops in their work. Much of the field workforce is comprised of temporary, hourly employees paid to gather data door-to-door. Given the unique nature of the Census workforce and method of data collection, the Bureau has long had technological and procedural mechanisms in place that limit any potential breach of information.
Regarding the unique nature of the Census laptops, the Bureau indicated that they contained the following:
- Technological Protections:
  - every Census laptop from 2001 on requires a password to access;
  - systemic safeguards ensure that once a survey is completed, the data is automatically stored on a laptop and cannot be retrieved or accessed in the field, even by the Census field representative; and
  - each laptop contains information on an estimated 20-30 households, and rarely more than 100; field offices report that typical laptops would contain zero-to-two incomplete surveys.
- Procedural Protections:
  - the survey data is contained in complex database formats requiring specialized applications to access;
  - each laptop contains survey data that is regularly transmitted at the end of each day, and such data is fully removed from the laptops at the end of each survey period; and
  - since 2001, the Census Bureau has been adding encryption technology on a rolling basis for extra protection, and today, all new laptops have encryption protection.

The Census Bureau reported:
- 672 missing laptops, of which 246 contained some degree of personal data;
  - 107 of these laptops were fully encrypted;
  - 139 were either partially encrypted or had no encryption;
- of the missing laptops involving PII, almost half of the unaccounted laptops were stolen (104), often from employees’ vehicles, and another 113 were not returned from former employees; and
- 46 thumbdrives, all of which were fully encrypted and protected by systemic safeguards.
In addition to laptops, Census began evaluating the use of handheld devices to record survey data for testing processes in preparation for the 2010 Census. Of the approximately 2,400 in use since 2004, 15 have been lost, stolen or are missing with PII on them. All of these had encryption and required an initial password to operate the unit, and a second password to access the data that was only available to employees at Census headquarters. Unlike the laptops, it is possible for us to determine the potentially affected households, and we are in the process of contacting those 558 households even though the risk of misuse of data is extremely low.
In addition to those instances of potential breaches, the Census Bureau also reported 16 instances of non-electronic potential breaches of personal information, ranging from employee time and attendance records being lost in an office move to retirement information packages sent to the National Finance Center during Hurricane Katrina not being received. Where these potentially affected people can be identified, we are also in the process of contacting them.
The National Oceanic and Atmospheric Administration (NOAA)
NOAA reported 325 missing laptops, of which 3 contained personal data. NOAA currently has over 12,000 laptops in their inventory. In one instance, a NOAA law enforcement agent’s laptop with some case file information was stolen. On July 5, 2006, a laptop containing information (D.O.B., addresses and Social Security numbers) on 146 employees and contractors was reported stolen following a building fire in a NOAA facility in Seattle, Washington. NOAA contacted each of the affected people and offered credit counseling.
Other Department of Commerce Bureaus and Offices
The following bureaus of the Commerce Department had the following number of laptops lost or stolen in the last 5 years: Bureau of Industry and Security, 9; Economic Development Administration, 6; Bureau of Economic Analysis, 4; International Trade Administration, 42; Technology Administration, 17; National Institute of Standards and Technology, 35; U.S. Patent and Trademark Office, 9; Office of the Inspector General, 2; and the Office of the Secretary, 17. None of these contained personally identifiable information.
Four Commerce agencies, the Economics and Statistics Administration, the Minority Business Development Agency, the National Technical Information Service, and the National Telecommunications and Information Administration, had no missing laptops.
Secretary Gutierrez outlined the steps that the Department is implementing to protect against further missing laptops or potential breaches of personal identity data, such as:
- asking the Inspector General to perform an investigation at the request of the Secretary;
- directing an onsite senior Department of Commerce management team review at Census;
- instituting inventory reforms, including the creation of one comprehensive database for all departmental property;
- raising employee accountability standards;
- expanding training to raise user awareness;
- reviewing Department remote access and teleworking policies;
- where warranted, imposing disciplinary action;
- strengthening password protection policies; and
- ensuring the recommendations included in the recent Administration policies are being implemented to include:
  - 100% encryption for all Department laptops;
  - two-factor authentication for remote access and laptop use; and
  - the reporting process for personally identifiable information.
“The Department takes very seriously these high instances of missing laptops, as well as potential breaches of personal identity data. This review process has clearly pointed out the flaws in the Department’s inventory and accountability efforts going back many years. We are viewing this process with the spirit of actively rooting out the problems and addressing them immediately,” added Gutierrez.